During the first six months of 2020, nearly 20 countries saw COVID-themed lures. A significant portion of scanned attachment threats leveraged COVID-19 themes, from commodity criminals to nation-state threat actors. During the height of the pandemic in March, healthcare organizations, compared to other industries, received approximately 16% more malicious messages associated with these campaigns. The examples below are a few highlights from our 2020 Healthcare Threat Landscape report and serve as cybersecurity lessons from the pandemic.
Large-Scale Cyber Attacks
Large scale attackers represented 64% of the threats received by the healthcare industry in 2020. They operate by sending high volumes of threats to many different recipient organizations, where the speed and variable change in techniques or features, such as unique URLs or MACRO features in an attachment, drive the operational scale. Large-scale attacks generally exhibit sector-agnostic targeting. One of the most prevalent threats was from Proofpoint’s flagship scale actor, TA505. TA505 focuses on large-scale crimeware campaigns that use SDBot and Get2 as primary malware. In this campaign, 78% of over 250,000 malicious messages were intended for pharmaceutical and life science organizations. This threat spoofed employees from a business support service for clinical trials. The subjects included billing information and in one case a clinical researchers name who is researching antibody therapy to prevent and treat COVID-19.
Revenge of the Clones
In our report, we identified several key campaigns that demonstrated more specific variance in message volume, vector of delivery and potential risk to a specific vertical in the healthcare sector. One campaign example, an unknown attacker developed a cloned portal with emails with subject lines such as "updating our Privacy Notice". The lures contained URLs leading to a credential-harvesting attempt from a webpage clone of the legitimate authentication portal for Blue Cross Blue Shield in Michigan. Message senders were spoofed to appear as though they originated from the "Blue Cross Blue Shield Association". The emails also included a graphic image tag that loaded the BCBS logo from the attacker's page.
Email-based Ransomware Attacks Give Way to Downloaders, but Ransomware is Still a Threat
Ransomware continues to be problematic for the healthcare industry despite an overall volume decrease since 2019 and a general flattening in 2020. First-stage ransomware campaigns comprised only 1% of the observed threats in Proofpoint data, while downloaders that could lead to a subsequent ransomware payload remained common. Anecdotal insights from public reporting corroborate a flattening of the ransomware curve and may suggest actors have migrated away from using email. Proofpoint researchers however do see distributions of FTCode, Nemty, Buran and new arrivals, such as Avaddon and other “boutique” variants, delivered in email. Certain sectors such as critical infrastructure have experienced increased ransomware attacks in 2020, and healthcare remains a top target of campaigns that largely have begun with downloader infections.
Email Fraud on the Rise
Overall, our researchers are seeing more threat actors using social engineering in place of the more conventional threats such as URLs or malware. These attacks target people and their relationships with their supply chains and are often very conversational in nature. The use of old conversations, invoices and approval letters lend themselves well when attempting to legitimize an illegal transfer of funds in communications.
Threats: Both Targeted At, Operated by People
Today’s cyber attacks target people, not technology. That’s why healthcare organizations must take a people-centered approach to securing their clinical workers, non-clinical employees, and the sensitive data they use and share. The nature of clinical work requires a focus on providing optimal patient care, often at a rapid pace, rather than considering the legitimacy of an email. It’s one reason the industry remains an easy target for malicious activity. And the potential payoff of successful attacks is high. Our 2020 report explores what we call Very Attacked People™ (VAPs) in healthcare. We use the term to describe users within an organization who are the most heavily targeted by cyber threats. We compared real-world examples of VAPs within five categories of healthcare. For example, in comparing two teaching hospitals, the hospital email accounts most targeted by attackers are professors who have access to academic research often under research grants from third-party medical or commercial organizations. How would you change your approach if you knew who is actually being attacked in your organization?
What You Can Do
To defend against these people-based threats, healthcare organizations need to understand who within their organizations are being targeted. Our report provided a detailed set of recommendations to protect your people in the way they work today. The best place to start is with the basics and invest in three essential areas:
- An advanced email security gateway with data loss prevention (DLP) protection to stop threats from reaching healthcare personnel. Security teams need visibility into their most targeted people and the ability to enact strict cybersecurity policies to understand if, when, and how data is being exfiltrated. Look for a solution that works in the flow of email and analyzes suspicious and URLs using static and dynamic techniques across multiple stages of an attack. It should capture advanced threats and record the patterns, behaviors, and tradecraft as well.
- Because attacks overwhelmingly aimed at specific people, it’s crucial to conduct continuous security awareness training for every employee with access to the system. Employee training will empower users to recognize and report suspicious emails and provide guidance on how to proactively alert the security team.
- And finally, facilities should deploy an email validation system called Domain-based Message Authentication Reporting and Conformance (DMARC) to detect and prevent email spoofing. DAMRC helps stop attackers from using sender addresses that appear to come from legitimate healthcare organizations, which can significantly reduce email fraud risk.
Proofpoint Threat Researchers analyzed thousands of campaign signals against millions of messages to bring quantifiable, anecdotal, and estimative insights to the healthcare industry.